Did you even read the article?

quote: "The truth is that we are holding Apple to a higher standard precisely because they're doing so much better. Android is a free-for-all. I don't think anyone expects the security of Android to improve to a point where all we have to worry about are targeted attacks with zero-day exploits."

Translation: "we're focussing on Apple because we've given up hope that Android will ever be secure."
Ssh, don’t burst his bubble.

If I may throw my two cents in, I’m glad we hold Apple to high standards of privacy given that they market their products that way.

However, I’m not so delusional as to think that world-class security researchers and government agencies wouldn’t find their way into my phone, or to expect protection from zero day attacks.
 
They once allowed access to the root user on macOS with no password whatsoever. You can make some arguments on privacy — much of it is marketing bluster, but they have done some good work — but Apple’s record on security is…not sterling.

No company is perfect. In products and systems as complex as these, mistakes will occasionally creep in despite best efforts. If we compare Apple's record to any of their competition, however, we'll see a huge qualitative difference in Apple's favor.

The nature of the issue isn't mistakes vs. not mistakes, though. It's about intent, and approach, and philosophy, and implementation of models to protect users and in that end, Apple clearly stands head and shoulders above the rest.

And privacy is not simply bluster for Apple. Not even close.
 
This title is funny. It's not Apple, Google, Amazon, Huawei, or the government's job to keep me safe. Yes they have a minimum responsibility, but the whole "not doing enough" suggests they have to make up for people's stupidity. It's a good business model to protect your customers. Apple goes the extra mile more than almost any company. But businesses and criminals are greedy and consumers can be stupid (which is why businesses and criminals continue to flourish). Yes it sucks when we get spied on, but it's our responsibility to be careful with what we do on our devices.
 
Oh really? What do these same researchers have to say about Google, Amazon, Facebook et al?
how about everyone knows they don't give a damn about privacy and so no one privacy-conscious is actually using them?
 
"...Android is a free-for-all. I don't think anyone expects the security of Android to improve to a point where all we have to worry about are targeted attacks with zero-day exploits."

So true and I am sure this will hurt the feelings of Android fanboys everywhere...lol.
 
The researchers failed to meaningfully quantify their statements about Apple. As such, the article is rather meaningless as presented.

Spot on. Their view is whatever Apple's doing (because they really don't know the extent of what Apple is doing), it's not enough.
 
Oh really? What do these same researchers have to say about Google, Amazon, Facebook et al?

It's usually a good idea to read the article before posting a response:

"The truth is that we are holding Apple to a higher standard precisely because they're doing so much better. Android is a free-for-all. I don't think anyone expects the security of Android to improve to a point where all we have to worry about are targeted attacks with zero-day exploits."
 
It's usually a good idea to read the article before posting a response:

"The truth is that we are holding Apple to a higher standard precisely because they're doing so much better. Android is a free-for-all. I don't think anyone expects the security of Android to improve to a point where all we have to worry about are targeted attacks with zero-day exploits."

Pfffff. Who has time for that? I just want reaction points.
 
"A greater level of access to the operating system itself would, they claim, help to catch attacks and vulnerabilities more easily. "

Sure...just like making it easier for thieves to enter my home, I actually make it safer because it is easier to catch them.

You don't know what you're talking about. It's like designing a lock for your home and not letting anybody see how the mechanism was designed. You're hoping it will work based only on your POV of lock design. Opening up the source code of core security implementations on iOS is the equivalent of letting many professional white hat thieves come and try to break down your door with you watching. A different set of eyeballs (that are potentially significantly more adept than you when it comes to theft prevention) can help make your locking mechanism stronger. You don't know whether or not you missed something blatantly obvious on your lock design. Maybe you spent all that time building your lock and didn't screw in the door hinges -- in that scenario your lock would be completely pointless.

More eyeballs from more perspectives = more people finding exploits/bugs = better security implementations. That's why you're often advised not to "roll your own" encryption strategy, it won't have been through the vigorous, multi-eyeball shake down that existing systems have gone through.
 
“Johns Hopkins University cryptographer Matthew Green similarly said: ‘Apple is trying, but the problem is they aren't trying as hard as their reputation would imply.’”

What a bunch of rubbish. This is a qualitative opinion, not scholarship or research.

If he wants to criticize Apple for poor security practices, then fine — list its shortcomings supported by quantitative data or specific flaws. Let me draw the conclusions on whether those flaws meet or don’t meet its reputation.

"What a bunch of rubbish"

Ordinary people, not even security researchers, have been requesting end to end encrypted iCloud backups for YEARS. All that security and 'privacy' on the iPhone means jack s*** if your entire iPhone is being uploaded to Apple's servers with absolutely no end to end (i.e, only I can access it) encryption.
 
You do have to wonder though if these giant tech companies deliberately leave backdoors whilst espousing safeguarding customer privacy, which would explain why so many updates occur throughout tech industry to close security loopholes that are obviously exploited by Pegasus and no doubt law enforcement agencies etc., using the software. At least Apple respond with the free updates.

No wondering necessary. Apple, Google, Microsoft, and basically every major tech company under the sun all signed up to provide first class support for the NSA's mass spying programs as revealed by the Snowden docs. There have been many convincing arguments made that large tech companies are effectively extensions of the security state given their close workings with each other behind closed doors.
 
Maybe, but at least Apple is trying harder than all the others.
Well, Apple says that they are putting more emphasis on privacy than most others, and we are generally taking that to mean that they are in fact trying harder.

I hope that they are. I'm not a security expert, how do I know?

One thing we do know is that we live in an age where what is said is more disconnected from what is really happening than probably any earlier time. A sad state of affairs.
 
No company is perfect. In products and systems as complex as these, mistakes will occasionally creep in despite best efforts. If we compare Apple's record to any of their competition, however, we'll see a huge qualitative difference in Apple's favor.

The nature of the issue isn't mistakes vs. not mistakes, though. It's about intent, and approach, and philosophy, and implementation of models to protect users and in that end, Apple clearly stands head and shoulders above the rest.

And privacy is not simply bluster for Apple. Not even close.
Sure, a huge qualitative difference and differences in intent, approach, and philosophy, like how Apple often drags its feet on and lowballs payments on bug bounty program reports?

Yes, Apple’s privacy stance is largely either marketing bluster or quietly to its own benefit. For example, why is Apple’s “Ask App Not to Track” feature for third-party apps separate from its “Personalized Ads” setting for Apple apps in an entirely different location — which is enabled by default? Apple brought the hammer down on third-party advertising to bolster its own advertising business, and its well-publicized (for better or worse) recent advertising hiring push reflects this much.

Sure, it’s a net positive for the user, but keep in mind that Apple has absolutely no “philosophy” other than dollar bills. It does not care about you; it cares about your money.
 
We know, because we have not seen any new FBI complaints, that Apple is now fully compliant with the US government in handing over any and all data Apple has access to. This is something that even Apple's high powered marketing machine cannot overcome. All that needs to happen now is for the next whistleblower to surface and Apple is in deep dodo.
 
There are certain red lines set by NSA that Apple cannot. You cannot make it impossible for NSA to surveil the world, that’s the hard line no one could EVER cross.
 
We know, because we have not seen any new FBI complaints, that Apple is now fully compliant with the US government in handing over any and all data Apple has access to.
So you're saying the FBI is going through the courts and getting a warrant like they're supposed to and Apple is complying? Good on both. Hey, the system works. What the Feds did before was try to bypass the courts (no warrant) and directly bully Apple. That is unlawful, goes against the 4th amendment.
 
Good that you mentioned this, a lot of Apple OS vulnerabilities are found and reported by Google's Project Zero Team.
If I were Google, I would stop freely reporting vulnerabilities to Apple, or ask for big sums for more info.
Google is better at securing iOS than Apple itself, what a joke!
So your answer is to try to actually prevent Apple from knowing about security flaws? These are inherent in every OS or app regardless of the maker. Your comments could potentially have value if only the obvious Apple hatred wasn’t so absurdly apparent.
That's timmy's utopia.
Actually, a quick look at Apple's history since the inception of the Mac shows it’s always been the case.
If iOS was so private, why does Apple know how many of which iOS version all of their devices are on?
Because you must download the update from their servers? They don’t know who, necessarily, but it’s certainly evident how many.
 